Re: [paws] Alissa Cooper's Discuss on draft-ietf-paws-protocol-14: (with DISCUSS and COMMENT)

Alissa Cooper <alissa@cooperw.in> Wed, 24 September 2014 20:28 UTC

Return-Path: <alissa@cooperw.in>
X-Original-To: paws@ietfa.amsl.com
Delivered-To: paws@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E317C1A19E8 for <paws@ietfa.amsl.com>; Wed, 24 Sep 2014 13:28:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.698
X-Spam-Level:
X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S_ZjPWzMsvhy for <paws@ietfa.amsl.com>; Wed, 24 Sep 2014 13:28:23 -0700 (PDT)
Received: from out3-smtp.messagingengine.com (out3-smtp.messagingengine.com [66.111.4.27]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 51A141A0687 for <paws@ietf.org>; Wed, 24 Sep 2014 13:28:23 -0700 (PDT)
Received: from compute3.internal (compute3.nyi.internal [10.202.2.43]) by gateway2.nyi.internal (Postfix) with ESMTP id 9633F208ED for <paws@ietf.org>; Wed, 24 Sep 2014 16:28:21 -0400 (EDT)
Received: from frontend2 ([10.202.2.161]) by compute3.internal (MEProxy); Wed, 24 Sep 2014 16:28:21 -0400
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=cooperw.in; h=date :subject:from:to:cc:message-id:references:in-reply-to :mime-version:content-type; s=mesmtp; bh=7CtUwqp53DMaQ+sy+lYX4St LeaY=; b=Np2MOXZTxvHik9QUoZGOQV/Sf2UaXa91yRNjh+oQVSzMVoXwsegYGus JA+CZb6PAKr185SPYtRjoTbqikkmdRmzMcWT8G0b1A+rG0VP5e8zZAy/4GuLVrWF B23V1jS7uQ0+6x0ybx+MKC6d3vYeVQLD0zQALLuX1/0qG/ib4Mj8=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=date:subject:from:to:cc:message-id :references:in-reply-to:mime-version:content-type; s=smtpout; bh=7CtUwqp53DMaQ+sy+lYX4StLeaY=; b=q9vjyC5IPLfVhh0K49P+GN1hvn90 60BA0OZkjN2Y1TUG1DQo3Uy7jw7hVpa8A8SHEKgO5OMB2xhGig/fp3nILesRqNVC AMn3D+jC0hqp3BLA/qyydF1tWLuRz62aHuZqdnqjPd4PyUAydV3Bq+JFL2N00kjY /MEYu/oW0JYoR4k=
X-Sasl-enc: HxB1J7gcEKHk267st/pgiEPko6bxbkcBL8GJXZhfP74V 1411590500
Received: from [171.68.18.45] (unknown [171.68.18.45]) by mail.messagingengine.com (Postfix) with ESMTPA id 74B31680181; Wed, 24 Sep 2014 16:28:18 -0400 (EDT)
User-Agent: Microsoft-MacOutlook/14.4.3.140616
Date: Wed, 24 Sep 2014 13:28:13 -0700
From: Alissa Cooper <alissa@cooperw.in>
To: Brian Rosen <br@brianrosen.net>, Vincent Chen <vchen@google.com>
Message-ID: <D0487602.5A611%alissa@cooperw.in>
Thread-Topic: Alissa Cooper's Discuss on draft-ietf-paws-protocol-14: (with DISCUSS and COMMENT)
References: <20140820165236.31862.86067.idtracker@ietfa.amsl.com> <CABEV9ROW=KhQDCU5=X+SrtPAAOwd0QgvKJh_-owQ4b1CvdNvog@mail.gmail.com> <D0388B73.57841%alissa@cooperw.in> <CABEV9ROcLstZ1gpFrYpeAo07o+pp6QPeF4ovm_GXDB8DdWCiGw@mail.gmail.com> <D0471F58.5A0A7%alissa@cooperw.in> <CABEV9RONQjut1_AYF-TDBhs_YuVBG4912GVqbaDpbEgSp50A9w@mail.gmail.com> <FB5F7B5B-04FD-4F15-8DD8-1E038839869F@brianrosen.net>
In-Reply-To: <FB5F7B5B-04FD-4F15-8DD8-1E038839869F@brianrosen.net>
Mime-version: 1.0
Content-type: multipart/alternative; boundary="B_3494410100_9128372"
Archived-At: http://mailarchive.ietf.org/arch/msg/paws/yfblTTczUa4jf3H3djn_P7VxSZ4
Cc: "paws@ietf.org" <paws@ietf.org>, "paws-chairs@tools.ietf.org" <paws-chairs@tools.ietf.org>, The IESG <iesg@ietf.org>, draft-ietf-paws-protocol@tools.ietf.org
Subject: Re: [paws] Alissa Cooper's Discuss on draft-ietf-paws-protocol-14: (with DISCUSS and COMMENT)
X-BeenThere: paws@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Protocol to Access White Space database \(PAWS\)" <paws.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/paws>, <mailto:paws-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/paws/>
List-Post: <mailto:paws@ietf.org>
List-Help: <mailto:paws-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/paws>, <mailto:paws-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Sep 2014 20:28:28 -0000

On 9/24/14, 6:17 AM, "Brian Rosen" <br@brianrosen.net>; wrote:

> On the location issue, this is well traveled ground.
> 
> In many cases, the location of the device is no where near a boundary, and
> thus can be relatively imprecise.  As you get closer to a boundary, you need
> more precision in order to know if which side of the boundary you are on.  In
> white space, sometimes the regulator specifies the required accuracy of
> location, sometimes it doesn’t.
> 
> If you think about a canonical wireless microphone, you want location down to
> maybe 100 meters to avoid having problems with the microphone, but allow use
> of the spectrum where there is no problem of interference.  I wouldn’t want us
> to specify some default accuracy, but it really does need to be fairly
> accurate given current technology.  We’re starting to see location
> determination systems that could give us less than 2 meter accuracy in some
> environments, and that’s probably beyond what we need.
> 
> So you both are right.  Where the regulator specifies accuracy, that’s it, you
> send that, you need not send more.
> When the regulator doesn’t specify, someone has to put out a spec, and the
> clients need not send more accurate location.

Maybe we can build off of this and the text that Vince added in the –18 to
make one additional recommendation, at the end of the new paragraph in
Section 10:

“Similarly, regulators should require, and implementations should provide,
device location at a level of granularity only as precise as necessary to
support accurate database responses.”

Or something like that.

Re-reading the new text, I agree that the fingerprinting bit is covered.

Alissa

> 
> But, we’ve also looked at obfuscation when you want to report location less
> precise than what you have.  What we know is that it’s really, really hard to
> do it.
> 
> Brian
> 
> On Sep 24, 2014, at 2:57 AM, Vincent Chen <vchen@google.com>; wrote:
> 
>> Hi Alissa,
>> 
>> On Tue, Sep 23, 2014 at 1:01 PM, Alissa Cooper <alissa@cooperw.in>; wrote:
>>> Hi Vince,
>>> 
>>> Thanks. I like the text you added, but I think the bit about fingerprinting
>>> and the caution to implementations about not over-sharing that I had
>>> suggested are both important — any reason not to include them explicitly?
>> 
>> Sorry I did not respond directly to these points. Here's my train of thought.
>> 
>> 1. The whole point of the White Space Database is to give information about
>> available spectrum at a location. The location has to be precise enough for
>> the information to be valid. So it seems odd for PAWS to recommend that a
>> device give imprecise location.
>> 
>> 2. While PAWS does indicate that serial number is optional, it is unlikely
>> that a regulator will make it optional.
>> 
>> In any cases I felt the statements indicating risk of tracking covers
>> tracking via explicit information provided by the device and via implicit
>> information derived from fingerprinting.
>> 
>> -vince
>> 
>>  
>>> 
>>>>> 
>>>>> Now that the document is clear that Slave device location and serial
>>>>> number are optional (unless required by a ruleset), I think the remaining
>>>>> task on the above three points is to add a bit of text to Section 10 to
>>>>> explain the potential privacy threats from authorized databases, perhaps
>>>>> as a short paragraph or two at the end of Section 10. Something along
>>>>> these lines (just a suggestion, feel free to reject this entirely or use
>>>>> bits that you like):
>>>>> 
>>>>> "In addition to the privacy risks described above, in some cases, users of
>>>>> Master or Slave devices may open themselves up to privacy risks related to
>>>>> the secondary use of PAWS-related information by a database administrator.
>>>>> For example, in situations where rulesets require that Master or Slave
>>>>> devices uniquely identify themselves (via the DeviceDescriptor or
>>>>> DeviceOwner parameters), database administrators may be able to use that
>>>>> information to track connectivity activity over time, or they may share
>>>>> such tracking information with third parties. Where Master or Slave
>>>>> devices choose to provide or are required to provide geolocation
>>>>> information in conjunction with unique device identifiers, this capability
>>>>> may further extent to location tracking. Even where a device does not
>>>>> provide a specific unique identifier, a database administrator may be able
>>>>> to uniquely fingerprint a device based on the combination of other
>>>>> information provided in DeviceDescriptor or DeviceCapabilities parameters.
>>>>> 
>>>>> In cases where devices have a choice to not send device-identifying
>>>>> information or geolocation, or to send less granular geolocation (i.e., a
>>>>> region rather than a point), PAWS implementations can reduce the risks
>>>>> associated with secondary use by not sending that information. Where
>>>>> rulesets require this information to be sent, these risks require
>>>>> out-of-band mitigation (e.g., public statements or contractual terms
>>>>> preventing secondary use).”
>>>>> 
>>>>> Thanks,
>>>>> Alissa
>>>>> 
>>>>>>  
>>>>>>> 
>>>>>>> 
>>>>>>> ----------------------------------------------------------------------
>>>>>>> COMMENT:
>>>>>>> ----------------------------------------------------------------------
>>>>>>> 
>>>>>>> = Shepherd write-up=
>>>>>>> "An in-depth review by a JSON expert might be useful."
>>>>>>> 
>>>>>>> Did that happen?
>>>>>> 
>>>>>> Tim Bray had looked at it before final call.
>>>>>>  
>>>>>>> 
>>>>>>> = Section 1 =
>>>>>>> "It opens the door for innovations in spectrum
>>>>>>>    management that can incorporate a variety of parameters, including
>>>>>>>    user location and time.  In the future, it also can include other
>>>>>>>    parameters, such as user priority, time, signal type and power,
>>>>>>>    spectrum supply and demand, payment or micro-auction bidding, and
>>>>>>>    more."
>>>>>>> 
>>>>>>> Time seems to be listed both as a current parameter and a future one,
>>>>>>> which is confusing.
>>>>>> 
>>>>>> Agreed. The second "time" should be removed.
>>>>>>  
>>>>>>> 
>>>>>>> = Section 4.4 =
>>>>>>> "FCC rules, for example, require that a 'Fixed Device'
>>>>>>>    register its owner and operator contact information, its device
>>>>>>>    identifier, its location, and its antenna height."
>>>>>>> 
>>>>>>> It would be nice to have a citation for the rules referenced here.
>>>>>> 
>>>>>> OK.
>>>>>>  
>>>>>>> 
>>>>>>> = Section 5.1 =
>>>>>>> Feel free to ignore this if it's completely misguided, but does altitude
>>>>>>> really not matter? Are we sure this protocol won't be re-used for
>>>>>>> devices
>>>>>>> on airplanes trying to find available spectrum? (I note that in RFC
>>>>>>> 6953,
>>>>>>> requirement D.1 specifies that the data model must support "the height
>>>>>>> and its uncertainty" -- I have no idea what "the height" means or if it
>>>>>>> is related to altitude.)
>>>>>> 
>>>>>> See Section 5.3 on "height" of the antenna. It's separated out, from the
>>>>>> "latitude, longitude" specification
>>>>>> of GeoLocation. It allows specification with respect to ground level or
>>>>>> mean sea level, and is intended
>>>>>> for Fixed devices, rather than mobile devices.
>>>>>> 
>>>>>> From the current regulator's perspective, the allowed power for mobile
>>>>>> devices is low enough that
>>>>>> height does not matter.
>>>>>> 
>>>>>>  
>>>>>>> 
>>>>>>> = Section 10 =
>>>>>>> I agree with Stephen that the database operator should be considered as
>>>>>>> a
>>>>>>> potential adversary from the standpoint of potentially being able to
>>>>>>> create a fine-grained database that tracks the locations and spectrum
>>>>>>> use
>>>>>>> patterns of individual devices. That data could certainly be abused.
>>>>>>> 
>>>>>> 
>>>>>> So just listing that as a potential threat and declare that fixing this
>>>>>> as out of scope is sufficient?
>>>>>> 
>>>>>> Or do we need to state that Databases MUST not track? I can see how
>>>>>> anonymized tracking
>>>>>> can be useful for spectrum management in the future, much like anonymized
>>>>>> tracking of car locations
>>>>>> provide valuable traffic information for navigation systems.
>>>>>> 
>>>>>> -- 
>>>>>> -vince 
>>>> 
>>>> 
>>>> 
>>>> -- 
>>>> -vince 
>> 
>> 
>> 
>> -- 
>> -vince 
>